State laws have always been a tricky subject when the internet gets involved. Unless your business is large enough to hire a squadron of legal representatives, you just have to accommodate for them. In this article, I’m going to outline three of these state laws which may apply to your business. Fair warning: This article should in no way be construed as legal advice. I’m not a lawyer and I don’t even play one on TV.
Law: CalOPPA (California Online Privacy Protection Act)
Who it applies to: Any commercial website or online service that collects personal information about “individual consumers residing in California who use or visit its commercial Web site or online service.”
If you decide instead to respond to “Do Not Track” messages, you will need to disclose how you respond, and while CalOPPA doesn’t specifically define how detailed your disclosure must be, it’s safe to assume that such disclosure should be accurate.
Fortunately most websites already have privacy policies, and adding a few lines that state you don’t respond to those messages, or alternately do and your practices around that, isn’t too difficult a task.
Law: NRS 603A (Security of Personal information)
Who it applies to: This law applies to “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information” of Nevada residents.
What the law requires: This security law sets forth a number of legal obligations for those to whom the law applies. In a nutshell, these obligations include:
- Protocols surrounding the destruction of records containing personal information. (603A.200)
- The maintenance of “reasonable security measures to protect” those records. (603A.210)
- The disclosure of breaches which affected the stored personal information of NV residents. (603A.220)
- Mandatory PCI Compliance for organizations that accept payment cards. (603A.227)
- The encryption of Nevada residents PI in transmission, and during the movement of storage devices. (603A.227)
What does this mean in a general sense? Well, if this law applies to you or your clients’ businesses, then you have a lot of work to do. Fortunately, these compliance requirements are fairly typical and you may not have to make any changes at all if you’re already PCI compliant. If you do business with residents of Nevada and you’re not following these practices… well, I highly recommend you start working to follow these practices immediately. Some sources point out that this law technically has a national and international reach for any group handling the personal information of Nevada residents.
Law: 201 CMR 17.00
Who it applies to: Every person or organization that owns or licenses personal information about a resident of Massachusetts and electronically stores or transmits such information.
What the law requires: Fortunately this law is written in a fairly comprehensive way, so it is quite easy to explain. For those to whom this law applies, it is required that a comprehensive information security program exist, and that said program cover all computers and networks to the extent which is technically feasible. This security program, when feasible, is required to…
Have secure user authentication protocols which provide:
- Control over user IDs and other identifiers.
- Reasonably secure assignment and selection of passwords, or use of unique identifier technologies, such as multi-factor authentication.
- Control of passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect.
- Restriction of access to active users and active user accounts only.
- The ability to block access after multiple unsuccessful access attempts, or limitation placed for the particular system.
Secure access control measures that:
- Restrict access to records and files containing personal information to those who need such information for their job.
- Assign unique identifications and passwords, which are not the vendor supplied default to any person with access.
As well, the security program must include:
- Encryption of all transmitted records and files containing PI which will travel across public networks or wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices.
- Require a reasonably up-to-date firewall protection and operating system security patches for systems containing personal information which are connected to the Internet.
- Reasonably up-to-date versions of system security software which must include malware protection with reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education of employees on the proper use of the computer security system and personal information security.
As you can see, I saved the best for last. This law, just like the one from the state of Nevada, can have a national or international reach. Now I didn’t write all of this for you to panic about. I feel that these three laws serve as a good motivation for any business to improve their IT security and IT policies in general. Additionally, these three laws in combination provide a great framework that any business could build their IT security upon. Security is not the job of a single person, nor is it the job of a single business, instead it is a task for everyone.
The first step to building a good home is laying down a strong foundation. Similarly, the first step to building a strong and compliant IT infrastructure is finding the right platform to build upon. Kaseya was designed and built with security as the fundamental building block to its core architecture.